| // Copyright 2016 The Prometheus Authors |
| // Licensed under the Apache License, Version 2.0 (the "License"); |
| // you may not use this file except in compliance with the License. |
| // You may obtain a copy of the License at |
| // |
| // http://www.apache.org/licenses/LICENSE-2.0 |
| // |
| // Unless required by applicable law or agreed to in writing, software |
| // distributed under the License is distributed on an "AS IS" BASIS, |
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| // See the License for the specific language governing permissions and |
| // limitations under the License. |
| |
| //go:build go1.8 |
| // +build go1.8 |
| |
| package config |
| |
| import ( |
| "bytes" |
| "context" |
| "crypto/sha256" |
| "crypto/tls" |
| "crypto/x509" |
| "encoding/json" |
| "errors" |
| "fmt" |
| "io/ioutil" |
| "net" |
| "net/http" |
| "net/url" |
| "os" |
| "strings" |
| "sync" |
| "time" |
| |
| "github.com/mwitkow/go-conntrack" |
| "golang.org/x/net/http2" |
| "golang.org/x/oauth2" |
| "golang.org/x/oauth2/clientcredentials" |
| "gopkg.in/yaml.v2" |
| ) |
| |
| // DefaultHTTPClientConfig is the default HTTP client configuration. |
| var DefaultHTTPClientConfig = HTTPClientConfig{ |
| FollowRedirects: true, |
| } |
| |
| // defaultHTTPClientOptions holds the default HTTP client options. |
| var defaultHTTPClientOptions = httpClientOptions{ |
| keepAlivesEnabled: true, |
| http2Enabled: true, |
| // 5 minutes is typically above the maximum sane scrape interval. So we can |
| // use keepalive for all configurations. |
| idleConnTimeout: 5 * time.Minute, |
| } |
| |
| type closeIdler interface { |
| CloseIdleConnections() |
| } |
| |
| // BasicAuth contains basic HTTP authentication credentials. |
| type BasicAuth struct { |
| Username string `yaml:"username" json:"username"` |
| Password SecretLoader `yaml:"password,omitempty" json:"password,omitempty"` |
| PasswordFile string `yaml:"password_file,omitempty" json:"password_file,omitempty"` |
| } |
| |
| // SetDirectory joins any relative file paths with dir. |
| func (a *BasicAuth) SetDirectory(dir string) { |
| if a == nil { |
| return |
| } |
| a.PasswordFile = JoinDir(dir, a.PasswordFile) |
| a.Password.SetFile(a.PasswordFile) |
| } |
| |
| // Authorization contains HTTP authorization credentials. |
| type Authorization struct { |
| Type string `yaml:"type,omitempty" json:"type,omitempty"` |
| Credentials SecretLoader `yaml:"credentials,omitempty" json:"credentials,omitempty"` |
| CredentialsFile string `yaml:"credentials_file,omitempty" json:"credentials_file,omitempty"` |
| } |
| |
| // SetDirectory joins any relative file paths with dir. |
| func (a *Authorization) SetDirectory(dir string) { |
| if a == nil { |
| return |
| } |
| a.CredentialsFile = JoinDir(dir, a.CredentialsFile) |
| a.Credentials.SetFile(a.CredentialsFile) |
| } |
| |
| // URL is a custom URL type that allows validation at configuration load time. |
| type URL struct { |
| *url.URL |
| } |
| |
| // UnmarshalYAML implements the yaml.Unmarshaler interface for URLs. |
| func (u *URL) UnmarshalYAML(unmarshal func(interface{}) error) error { |
| var s string |
| if err := unmarshal(&s); err != nil { |
| return err |
| } |
| |
| urlp, err := url.Parse(s) |
| if err != nil { |
| return err |
| } |
| u.URL = urlp |
| return nil |
| } |
| |
| // MarshalYAML implements the yaml.Marshaler interface for URLs. |
| func (u URL) MarshalYAML() (interface{}, error) { |
| if u.URL != nil { |
| return u.Redacted(), nil |
| } |
| return nil, nil |
| } |
| |
| // Redacted returns the URL but replaces any password with "xxxxx". |
| func (u URL) Redacted() string { |
| if u.URL == nil { |
| return "" |
| } |
| |
| ru := *u.URL |
| if _, ok := ru.User.Password(); ok { |
| // We can not use secretToken because it would be escaped. |
| ru.User = url.UserPassword(ru.User.Username(), "xxxxx") |
| } |
| return ru.String() |
| } |
| |
| // UnmarshalJSON implements the json.Marshaler interface for URL. |
| func (u *URL) UnmarshalJSON(data []byte) error { |
| var s string |
| if err := json.Unmarshal(data, &s); err != nil { |
| return err |
| } |
| urlp, err := url.Parse(s) |
| if err != nil { |
| return err |
| } |
| u.URL = urlp |
| return nil |
| } |
| |
| // MarshalJSON implements the json.Marshaler interface for URL. |
| func (u URL) MarshalJSON() ([]byte, error) { |
| if u.URL != nil { |
| return json.Marshal(u.URL.String()) |
| } |
| return []byte("null"), nil |
| } |
| |
| // OAuth2 is the oauth2 client configuration. |
| type OAuth2 struct { |
| ClientID string `yaml:"client_id" json:"client_id"` |
| ClientSecret SecretLoader `yaml:"client_secret" json:"client_secret"` |
| ClientSecretFile string `yaml:"client_secret_file" json:"client_secret_file"` |
| Scopes []string `yaml:"scopes,omitempty" json:"scopes,omitempty"` |
| TokenURL string `yaml:"token_url" json:"token_url"` |
| EndpointParams map[string]string `yaml:"endpoint_params,omitempty" json:"endpoint_params,omitempty"` |
| } |
| |
| // SetDirectory joins any relative file paths with dir. |
| func (a *OAuth2) SetDirectory(dir string) { |
| if a == nil { |
| return |
| } |
| a.ClientSecretFile = JoinDir(dir, a.ClientSecretFile) |
| a.ClientSecret.SetFile(a.ClientSecretFile) |
| } |
| |
| func (a *OAuth2) UnmarshalYAML(unmarshal func(interface{}) error) error { |
| type plain OAuth2 |
| *a = OAuth2{} |
| if err := unmarshal((*plain)(a)); err != nil { |
| return err |
| } |
| |
| if err := validateSecret("oauth2 client_secret", a.ClientSecret, "client_secret_file", a.ClientSecretFile); err != nil { |
| return err |
| } |
| |
| a.ClientSecret.SetFile(a.ClientSecretFile) |
| |
| return nil |
| } |
| |
| // HTTPClientConfig configures an HTTP client. |
| type HTTPClientConfig struct { |
| // The HTTP basic authentication credentials for the targets. |
| BasicAuth *BasicAuth `yaml:"basic_auth,omitempty" json:"basic_auth,omitempty"` |
| // The HTTP authorization credentials for the targets. |
| Authorization *Authorization `yaml:"authorization,omitempty" json:"authorization,omitempty"` |
| // The OAuth2 client credentials used to fetch a token for the targets. |
| OAuth2 *OAuth2 `yaml:"oauth2,omitempty" json:"oauth2,omitempty"` |
| // The bearer token for the targets. Deprecated in favour of |
| // Authorization.Credentials. |
| BearerToken SecretLoader `yaml:"bearer_token,omitempty" json:"bearer_token,omitempty"` |
| // The bearer token file for the targets. Deprecated in favour of |
| // Authorization.CredentialsFile. |
| BearerTokenFile string `yaml:"bearer_token_file,omitempty" json:"bearer_token_file,omitempty"` |
| // HTTP proxy server to use to connect to the targets. |
| ProxyURL URL `yaml:"proxy_url,omitempty" json:"proxy_url,omitempty"` |
| // TLSConfig to use to connect to the targets. |
| TLSConfig TLSConfig `yaml:"tls_config,omitempty" json:"tls_config,omitempty"` |
| // FollowRedirects specifies whether the client should follow HTTP 3xx redirects. |
| // The omitempty flag is not set, because it would be hidden from the |
| // marshalled configuration when set to false. |
| FollowRedirects bool `yaml:"follow_redirects" json:"follow_redirects"` |
| } |
| |
| // SetDirectory joins any relative file paths with dir. |
| func (c *HTTPClientConfig) SetDirectory(dir string) { |
| if c == nil { |
| return |
| } |
| c.TLSConfig.SetDirectory(dir) |
| c.BasicAuth.SetDirectory(dir) |
| c.Authorization.SetDirectory(dir) |
| c.OAuth2.SetDirectory(dir) |
| c.BearerTokenFile = JoinDir(dir, c.BearerTokenFile) |
| c.BearerToken.SetFile(c.BearerTokenFile) |
| } |
| |
| // Validate validates the HTTPClientConfig to check only one of BearerToken, |
| // BasicAuth and BearerTokenFile is configured. |
| func (c *HTTPClientConfig) Validate() error { |
| // Backwards compatibility with the bearer_token field. |
| if err := validateSecret("bearer_token", c.BearerToken, "bearer_token_file", c.BearerTokenFile); err != nil { |
| return err |
| } |
| if (c.BasicAuth != nil || c.OAuth2 != nil) && c.BearerToken.IsSet() { |
| return fmt.Errorf("at most one of basic_auth, oauth2, bearer_token & bearer_token_file must be configured") |
| } |
| if c.BasicAuth != nil { |
| err := validateSecret("basic_auth password", c.BasicAuth.Password, "password_file", c.BasicAuth.PasswordFile) |
| if err != nil { |
| return err |
| } |
| } |
| if c.Authorization != nil { |
| if c.BearerToken.IsSet() { |
| return fmt.Errorf("authorization is not compatible with bearer_token & bearer_token_file") |
| } |
| |
| err := validateSecret("authorization credentials", c.Authorization.Credentials, "credentials_file", c.Authorization.CredentialsFile) |
| if err != nil { |
| return err |
| } |
| |
| c.Authorization.Type = strings.TrimSpace(c.Authorization.Type) |
| if len(c.Authorization.Type) == 0 { |
| c.Authorization.Type = "Bearer" |
| } |
| if strings.ToLower(c.Authorization.Type) == "basic" { |
| return fmt.Errorf(`authorization type cannot be set to "basic", use "basic_auth" instead`) |
| } |
| if c.BasicAuth != nil || c.OAuth2 != nil { |
| return fmt.Errorf("at most one of basic_auth, oauth2 & authorization must be configured") |
| } |
| } else { |
| if c.BearerToken.IsSet() { |
| c.Authorization = &Authorization{Credentials: c.BearerToken} |
| c.Authorization.Type = "Bearer" |
| } |
| } |
| if c.OAuth2 != nil { |
| if c.BasicAuth != nil { |
| return fmt.Errorf("at most one of basic_auth, oauth2 & authorization must be configured") |
| } |
| if len(c.OAuth2.ClientID) == 0 { |
| return fmt.Errorf("oauth2 client_id must be configured") |
| } |
| if !c.OAuth2.ClientSecret.IsSet() { |
| return errors.New("either oauth2 client_secret or client_secret_file must be configured") |
| } |
| if err := validateSecret("oauth2 client_secret", c.OAuth2.ClientSecret, "client_secret_file", c.OAuth2.ClientSecretFile); err != nil { |
| return err |
| } |
| if len(c.OAuth2.TokenURL) == 0 { |
| return fmt.Errorf("oauth2 token_url must be configured") |
| } |
| if c.OAuth2.ClientSecret.IsSet() { |
| return fmt.Errorf("either oauth2 client_secret or client_secret_file must be configured") |
| } |
| } |
| return nil |
| } |
| |
| // UnmarshalYAML implements the yaml.Unmarshaler interface |
| func (c *HTTPClientConfig) UnmarshalYAML(unmarshal func(interface{}) error) error { |
| type plain HTTPClientConfig |
| *c = DefaultHTTPClientConfig |
| if err := unmarshal((*plain)(c)); err != nil { |
| return err |
| } |
| |
| if err := validateSecret("bearer_token", c.BearerToken, "bearer_token_file", c.BearerTokenFile); err != nil { |
| return err |
| } |
| |
| c.BearerToken.SetFile(c.BearerTokenFile) |
| |
| if c.Authorization != nil { |
| if err := validateSecret("authorization credentials", c.Authorization.Credentials, "credentials_file", c.Authorization.CredentialsFile); err != nil { |
| return err |
| } |
| |
| c.Authorization.Credentials.SetFile(c.Authorization.CredentialsFile) |
| } |
| |
| if c.BasicAuth != nil { |
| if err := validateSecret("basic_auth password", c.BasicAuth.Password, "password_file", c.BasicAuth.PasswordFile); err != nil { |
| return err |
| } |
| |
| c.BasicAuth.Password.SetFile(c.BasicAuth.PasswordFile) |
| } |
| |
| if c.OAuth2 != nil { |
| if err := validateSecret("oauth2 client_secret", c.OAuth2.ClientSecret, "client_secret_file", c.OAuth2.ClientSecretFile); err != nil { |
| return err |
| } |
| |
| c.OAuth2.ClientSecret.SetFile(c.OAuth2.ClientSecretFile) |
| } |
| |
| return c.Validate() |
| } |
| |
| // UnmarshalJSON implements the json.Marshaler interface for URL. |
| func (c *HTTPClientConfig) UnmarshalJSON(data []byte) error { |
| type plain HTTPClientConfig |
| *c = DefaultHTTPClientConfig |
| if err := json.Unmarshal(data, (*plain)(c)); err != nil { |
| return err |
| } |
| return c.Validate() |
| } |
| |
| // UnmarshalYAML implements the yaml.Unmarshaler interface. |
| func (a *BasicAuth) UnmarshalYAML(unmarshal func(interface{}) error) error { |
| type plain BasicAuth |
| return unmarshal((*plain)(a)) |
| } |
| |
| // DialContextFunc defines the signature of the DialContext() function implemented |
| // by net.Dialer. |
| type DialContextFunc func(context.Context, string, string) (net.Conn, error) |
| |
| type httpClientOptions struct { |
| dialContextFunc DialContextFunc |
| keepAlivesEnabled bool |
| http2Enabled bool |
| idleConnTimeout time.Duration |
| } |
| |
| // HTTPClientOption defines an option that can be applied to the HTTP client. |
| type HTTPClientOption func(options *httpClientOptions) |
| |
| // WithDialContextFunc allows you to override func gets used for the actual dialing. The default is `net.Dialer.DialContext`. |
| func WithDialContextFunc(fn DialContextFunc) HTTPClientOption { |
| return func(opts *httpClientOptions) { |
| opts.dialContextFunc = fn |
| } |
| } |
| |
| // WithKeepAlivesDisabled allows to disable HTTP keepalive. |
| func WithKeepAlivesDisabled() HTTPClientOption { |
| return func(opts *httpClientOptions) { |
| opts.keepAlivesEnabled = false |
| } |
| } |
| |
| // WithHTTP2Disabled allows to disable HTTP2. |
| func WithHTTP2Disabled() HTTPClientOption { |
| return func(opts *httpClientOptions) { |
| opts.http2Enabled = false |
| } |
| } |
| |
| // WithIdleConnTimeout allows setting the idle connection timeout. |
| func WithIdleConnTimeout(timeout time.Duration) HTTPClientOption { |
| return func(opts *httpClientOptions) { |
| opts.idleConnTimeout = timeout |
| } |
| } |
| |
| // NewClient returns a http.Client using the specified http.RoundTripper. |
| func newClient(rt http.RoundTripper) *http.Client { |
| return &http.Client{Transport: rt} |
| } |
| |
| // NewClientFromConfig returns a new HTTP client configured for the |
| // given config.HTTPClientConfig and config.HTTPClientOption. |
| // The name is used as go-conntrack metric label. |
| func NewClientFromConfig(cfg HTTPClientConfig, name string, optFuncs ...HTTPClientOption) (*http.Client, error) { |
| rt, err := NewRoundTripperFromConfig(cfg, name, optFuncs...) |
| if err != nil { |
| return nil, err |
| } |
| client := newClient(rt) |
| if !cfg.FollowRedirects { |
| client.CheckRedirect = func(*http.Request, []*http.Request) error { |
| return http.ErrUseLastResponse |
| } |
| } |
| return client, nil |
| } |
| |
| // NewRoundTripperFromConfig returns a new HTTP RoundTripper configured for the |
| // given config.HTTPClientConfig and config.HTTPClientOption. |
| // The name is used as go-conntrack metric label. |
| func NewRoundTripperFromConfig(cfg HTTPClientConfig, name string, optFuncs ...HTTPClientOption) (http.RoundTripper, error) { |
| opts := defaultHTTPClientOptions |
| for _, f := range optFuncs { |
| f(&opts) |
| } |
| |
| var dialContext func(ctx context.Context, network, addr string) (net.Conn, error) |
| |
| if opts.dialContextFunc != nil { |
| dialContext = conntrack.NewDialContextFunc( |
| conntrack.DialWithDialContextFunc((func(context.Context, string, string) (net.Conn, error))(opts.dialContextFunc)), |
| conntrack.DialWithTracing(), |
| conntrack.DialWithName(name)) |
| } else { |
| dialContext = conntrack.NewDialContextFunc( |
| conntrack.DialWithTracing(), |
| conntrack.DialWithName(name)) |
| } |
| |
| newRT := func(tlsConfig *tls.Config) (http.RoundTripper, error) { |
| // The only timeout we care about is the configured scrape timeout. |
| // It is applied on request. So we leave out any timings here. |
| var rt http.RoundTripper = &http.Transport{ |
| Proxy: http.ProxyURL(cfg.ProxyURL.URL), |
| MaxIdleConns: 20000, |
| MaxIdleConnsPerHost: 1000, // see https://github.com/golang/go/issues/13801 |
| DisableKeepAlives: !opts.keepAlivesEnabled, |
| TLSClientConfig: tlsConfig, |
| DisableCompression: true, |
| IdleConnTimeout: opts.idleConnTimeout, |
| TLSHandshakeTimeout: 10 * time.Second, |
| ExpectContinueTimeout: 1 * time.Second, |
| DialContext: dialContext, |
| } |
| if opts.http2Enabled && os.Getenv("PROMETHEUS_COMMON_DISABLE_HTTP2") == "" { |
| // HTTP/2 support is golang had many problematic cornercases where |
| // dead connections would be kept and used in connection pools. |
| // https://github.com/golang/go/issues/32388 |
| // https://github.com/golang/go/issues/39337 |
| // https://github.com/golang/go/issues/39750 |
| |
| // Do not enable HTTP2 if the environment variable |
| // PROMETHEUS_COMMON_DISABLE_HTTP2 is set to a non-empty value. |
| // This allows users to easily disable HTTP2 in case they run into |
| // issues again, but will be removed once we are confident that |
| // things work as expected. |
| |
| http2t, err := http2.ConfigureTransports(rt.(*http.Transport)) |
| if err != nil { |
| return nil, err |
| } |
| http2t.ReadIdleTimeout = time.Minute |
| } |
| |
| // If a authorization_credentials is provided, create a round tripper that will set the |
| // Authorization header correctly on each request. |
| if cfg.Authorization != nil { |
| // Backwards compatibility: if you don't call Validate first, |
| // these fields might not be correctly initialized. |
| cfg.Authorization.Credentials.SetFile(cfg.Authorization.CredentialsFile) |
| if _, _, err := cfg.Authorization.Credentials.Get(); err != nil { |
| return nil, fmt.Errorf("unable to retrieive authorization credentials: %w", err) |
| } |
| rt = NewAuthorizationCredentialsRoundTripper(cfg.Authorization.Type, cfg.Authorization.Credentials, rt) |
| } |
| // Backwards compatibility, be nice with importers who would not have |
| // called Validate(). |
| cfg.BearerToken.SetFile(cfg.BearerTokenFile) |
| if cfg.BearerToken.IsSet() { |
| if _, _, err := cfg.BearerToken.Get(); err != nil { |
| return nil, fmt.Errorf("unable to retrieve bearer token: %w", err) |
| } |
| rt = NewAuthorizationCredentialsRoundTripper("Bearer", cfg.BearerToken, rt) |
| } |
| |
| if cfg.BasicAuth != nil { |
| // Backwards compatibility: if you don't call Validate first, |
| // these fields might not be correctly initialized. |
| cfg.BasicAuth.Password.SetFile(cfg.BasicAuth.PasswordFile) |
| if _, _, err := cfg.BasicAuth.Password.Get(); err != nil { |
| return nil, fmt.Errorf("unable to retrieive basic authorization password: %w", err) |
| } |
| rt = NewBasicAuthRoundTripper(cfg.BasicAuth.Username, cfg.BasicAuth.Password, rt) |
| } |
| |
| if cfg.OAuth2 != nil { |
| // Backwards compatibility: if you don't call Validate first, |
| // these fields might not be correctly initialized. |
| cfg.OAuth2.ClientSecret.SetFile(cfg.OAuth2.ClientSecretFile) |
| if _, _, err := cfg.OAuth2.ClientSecret.Get(); err != nil { |
| return nil, fmt.Errorf("unable to retrieve OAuth2 client secret: %w", err) |
| } |
| rt = NewOAuth2RoundTripper(cfg.OAuth2, rt) |
| } |
| // Return a new configured RoundTripper. |
| return rt, nil |
| } |
| |
| tlsConfig, err := NewTLSConfig(&cfg.TLSConfig) |
| if err != nil { |
| return nil, err |
| } |
| |
| if len(cfg.TLSConfig.CAFile) == 0 { |
| // No need for a RoundTripper that reloads the CA file automatically. |
| return newRT(tlsConfig) |
| } |
| |
| return NewTLSRoundTripper(tlsConfig, cfg.TLSConfig.CAFile, newRT) |
| } |
| |
| type authorizationCredentialsRoundTripper struct { |
| authType string |
| authCredentials SecretLoader |
| rt http.RoundTripper |
| } |
| |
| // NewAuthorizationCredentialsRoundTripper adds the provided credentials to a |
| // request unless the authorization header has already been set. |
| func NewAuthorizationCredentialsRoundTripper(authType string, authCredentials SecretLoader, rt http.RoundTripper) http.RoundTripper { |
| return &authorizationCredentialsRoundTripper{authType, authCredentials, rt} |
| } |
| |
| func (rt *authorizationCredentialsRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { |
| if len(req.Header.Get("Authorization")) == 0 { |
| req = cloneRequest(req) |
| secret, _, err := rt.authCredentials.Get() |
| if err != nil { |
| return nil, err |
| } |
| req.Header.Set("Authorization", fmt.Sprintf("%s %s", rt.authType, secret)) |
| } |
| return rt.rt.RoundTrip(req) |
| } |
| |
| func (rt *authorizationCredentialsRoundTripper) CloseIdleConnections() { |
| if ci, ok := rt.rt.(closeIdler); ok { |
| ci.CloseIdleConnections() |
| } |
| } |
| |
| type authorizationCredentialsFileRoundTripper struct { |
| authType string |
| authCredentialsFile string |
| rt http.RoundTripper |
| } |
| |
| // NewAuthorizationCredentialsFileRoundTripper adds the authorization |
| // credentials read from the provided file to a request unless the authorization |
| // header has already been set. This file is read for every request. |
| func NewAuthorizationCredentialsFileRoundTripper(authType, authCredentialsFile string, rt http.RoundTripper) http.RoundTripper { |
| return &authorizationCredentialsFileRoundTripper{authType, authCredentialsFile, rt} |
| } |
| |
| func (rt *authorizationCredentialsFileRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { |
| if len(req.Header.Get("Authorization")) == 0 { |
| b, err := ioutil.ReadFile(rt.authCredentialsFile) |
| if err != nil { |
| return nil, fmt.Errorf("unable to read authorization credentials file %s: %s", rt.authCredentialsFile, err) |
| } |
| authCredentials := strings.TrimSpace(string(b)) |
| |
| req = cloneRequest(req) |
| req.Header.Set("Authorization", fmt.Sprintf("%s %s", rt.authType, authCredentials)) |
| } |
| |
| return rt.rt.RoundTrip(req) |
| } |
| |
| func (rt *authorizationCredentialsFileRoundTripper) CloseIdleConnections() { |
| if ci, ok := rt.rt.(closeIdler); ok { |
| ci.CloseIdleConnections() |
| } |
| } |
| |
| type basicAuthRoundTripper struct { |
| username string |
| password SecretLoader |
| rt http.RoundTripper |
| } |
| |
| // NewBasicAuthRoundTripper will apply a BASIC auth authorization header to a request unless it has |
| // already been set. |
| func NewBasicAuthRoundTripper(username string, password SecretLoader, rt http.RoundTripper) http.RoundTripper { |
| return &basicAuthRoundTripper{username, password, rt} |
| } |
| |
| func (rt *basicAuthRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { |
| if len(req.Header.Get("Authorization")) != 0 { |
| return rt.rt.RoundTrip(req) |
| } |
| req = cloneRequest(req) |
| secret, _, err := rt.password.Get() |
| if err != nil { |
| return nil, fmt.Errorf("unable to read basic auth: %s", err) |
| } |
| req.SetBasicAuth(rt.username, strings.TrimSpace(secret)) |
| return rt.rt.RoundTrip(req) |
| } |
| |
| func (rt *basicAuthRoundTripper) CloseIdleConnections() { |
| if ci, ok := rt.rt.(closeIdler); ok { |
| ci.CloseIdleConnections() |
| } |
| } |
| |
| type oauth2RoundTripper struct { |
| config *OAuth2 |
| rt http.RoundTripper |
| next http.RoundTripper |
| secret string |
| mtx sync.RWMutex |
| } |
| |
| func NewOAuth2RoundTripper(config *OAuth2, next http.RoundTripper) http.RoundTripper { |
| return &oauth2RoundTripper{ |
| config: config, |
| next: next, |
| } |
| } |
| |
| func (rt *oauth2RoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { |
| secret, changed, err := rt.config.ClientSecret.Get() |
| if err != nil { |
| return nil, fmt.Errorf("unable to read oauth2 client secret: %s", err) |
| } |
| |
| secret = strings.TrimSpace(secret) |
| |
| if changed || rt.rt == nil { |
| config := &clientcredentials.Config{ |
| ClientID: rt.config.ClientID, |
| ClientSecret: secret, |
| Scopes: rt.config.Scopes, |
| TokenURL: rt.config.TokenURL, |
| EndpointParams: mapToValues(rt.config.EndpointParams), |
| } |
| |
| tokenSource := config.TokenSource(context.Background()) |
| |
| rt.mtx.Lock() |
| rt.secret = secret |
| rt.rt = &oauth2.Transport{ |
| Base: rt.next, |
| Source: tokenSource, |
| } |
| rt.mtx.Unlock() |
| } |
| |
| rt.mtx.RLock() |
| currentRT := rt.rt |
| rt.mtx.RUnlock() |
| return currentRT.RoundTrip(req) |
| } |
| |
| func (rt *oauth2RoundTripper) CloseIdleConnections() { |
| // OAuth2 RT does not support CloseIdleConnections() but the next RT might. |
| if ci, ok := rt.next.(closeIdler); ok { |
| ci.CloseIdleConnections() |
| } |
| } |
| |
| func mapToValues(m map[string]string) url.Values { |
| v := url.Values{} |
| for name, value := range m { |
| v.Set(name, value) |
| } |
| |
| return v |
| } |
| |
| // cloneRequest returns a clone of the provided *http.Request. |
| // The clone is a shallow copy of the struct and its Header map. |
| func cloneRequest(r *http.Request) *http.Request { |
| // Shallow copy of the struct. |
| r2 := new(http.Request) |
| *r2 = *r |
| // Deep copy of the Header. |
| r2.Header = make(http.Header) |
| for k, s := range r.Header { |
| r2.Header[k] = s |
| } |
| return r2 |
| } |
| |
| // NewTLSConfig creates a new tls.Config from the given TLSConfig. |
| func NewTLSConfig(cfg *TLSConfig) (*tls.Config, error) { |
| tlsConfig := &tls.Config{InsecureSkipVerify: cfg.InsecureSkipVerify} |
| |
| // If a CA cert is provided then let's read it in so we can validate the |
| // scrape target's certificate properly. |
| if len(cfg.CAFile) > 0 { |
| b, err := readCAFile(cfg.CAFile) |
| if err != nil { |
| return nil, err |
| } |
| if !updateRootCA(tlsConfig, b) { |
| return nil, fmt.Errorf("unable to use specified CA cert %s", cfg.CAFile) |
| } |
| } |
| |
| if len(cfg.ServerName) > 0 { |
| tlsConfig.ServerName = cfg.ServerName |
| } |
| // If a client cert & key is provided then configure TLS config accordingly. |
| if len(cfg.CertFile) > 0 && len(cfg.KeyFile) == 0 { |
| return nil, fmt.Errorf("client cert file %q specified without client key file", cfg.CertFile) |
| } else if len(cfg.KeyFile) > 0 && len(cfg.CertFile) == 0 { |
| return nil, fmt.Errorf("client key file %q specified without client cert file", cfg.KeyFile) |
| } else if len(cfg.CertFile) > 0 && len(cfg.KeyFile) > 0 { |
| // Verify that client cert and key are valid. |
| if _, err := cfg.getClientCertificate(nil); err != nil { |
| return nil, err |
| } |
| tlsConfig.GetClientCertificate = cfg.getClientCertificate |
| } |
| |
| return tlsConfig, nil |
| } |
| |
| // TLSConfig configures the options for TLS connections. |
| type TLSConfig struct { |
| // The CA cert to use for the targets. |
| CAFile string `yaml:"ca_file,omitempty" json:"ca_file,omitempty"` |
| // The client cert file for the targets. |
| CertFile string `yaml:"cert_file,omitempty" json:"cert_file,omitempty"` |
| // The client key file for the targets. |
| KeyFile string `yaml:"key_file,omitempty" json:"key_file,omitempty"` |
| // Used to verify the hostname for the targets. |
| ServerName string `yaml:"server_name,omitempty" json:"server_name,omitempty"` |
| // Disable target certificate validation. |
| InsecureSkipVerify bool `yaml:"insecure_skip_verify" json:"insecure_skip_verify"` |
| } |
| |
| // SetDirectory joins any relative file paths with dir. |
| func (c *TLSConfig) SetDirectory(dir string) { |
| if c == nil { |
| return |
| } |
| c.CAFile = JoinDir(dir, c.CAFile) |
| c.CertFile = JoinDir(dir, c.CertFile) |
| c.KeyFile = JoinDir(dir, c.KeyFile) |
| } |
| |
| // UnmarshalYAML implements the yaml.Unmarshaler interface. |
| func (c *TLSConfig) UnmarshalYAML(unmarshal func(interface{}) error) error { |
| type plain TLSConfig |
| return unmarshal((*plain)(c)) |
| } |
| |
| // getClientCertificate reads the pair of client cert and key from disk and returns a tls.Certificate. |
| func (c *TLSConfig) getClientCertificate(*tls.CertificateRequestInfo) (*tls.Certificate, error) { |
| cert, err := tls.LoadX509KeyPair(c.CertFile, c.KeyFile) |
| if err != nil { |
| return nil, fmt.Errorf("unable to use specified client cert (%s) & key (%s): %s", c.CertFile, c.KeyFile, err) |
| } |
| return &cert, nil |
| } |
| |
| // readCAFile reads the CA cert file from disk. |
| func readCAFile(f string) ([]byte, error) { |
| data, err := ioutil.ReadFile(f) |
| if err != nil { |
| return nil, fmt.Errorf("unable to load specified CA cert %s: %s", f, err) |
| } |
| return data, nil |
| } |
| |
| // updateRootCA parses the given byte slice as a series of PEM encoded certificates and updates tls.Config.RootCAs. |
| func updateRootCA(cfg *tls.Config, b []byte) bool { |
| caCertPool := x509.NewCertPool() |
| if !caCertPool.AppendCertsFromPEM(b) { |
| return false |
| } |
| cfg.RootCAs = caCertPool |
| return true |
| } |
| |
| // tlsRoundTripper is a RoundTripper that updates automatically its TLS |
| // configuration whenever the content of the CA file changes. |
| type tlsRoundTripper struct { |
| caFile string |
| // newRT returns a new RoundTripper. |
| newRT func(*tls.Config) (http.RoundTripper, error) |
| |
| mtx sync.RWMutex |
| rt http.RoundTripper |
| hashCAFile []byte |
| tlsConfig *tls.Config |
| } |
| |
| func NewTLSRoundTripper( |
| cfg *tls.Config, |
| caFile string, |
| newRT func(*tls.Config) (http.RoundTripper, error), |
| ) (http.RoundTripper, error) { |
| t := &tlsRoundTripper{ |
| caFile: caFile, |
| newRT: newRT, |
| tlsConfig: cfg, |
| } |
| |
| rt, err := t.newRT(t.tlsConfig) |
| if err != nil { |
| return nil, err |
| } |
| t.rt = rt |
| |
| _, t.hashCAFile, err = t.getCAWithHash() |
| if err != nil { |
| return nil, err |
| } |
| |
| return t, nil |
| } |
| |
| func (t *tlsRoundTripper) getCAWithHash() ([]byte, []byte, error) { |
| b, err := readCAFile(t.caFile) |
| if err != nil { |
| return nil, nil, err |
| } |
| h := sha256.Sum256(b) |
| return b, h[:], nil |
| |
| } |
| |
| // RoundTrip implements the http.RoundTrip interface. |
| func (t *tlsRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { |
| b, h, err := t.getCAWithHash() |
| if err != nil { |
| return nil, err |
| } |
| |
| t.mtx.RLock() |
| equal := bytes.Equal(h[:], t.hashCAFile) |
| rt := t.rt |
| t.mtx.RUnlock() |
| if equal { |
| // The CA cert hasn't changed, use the existing RoundTripper. |
| return rt.RoundTrip(req) |
| } |
| |
| // Create a new RoundTripper. |
| tlsConfig := t.tlsConfig.Clone() |
| if !updateRootCA(tlsConfig, b) { |
| return nil, fmt.Errorf("unable to use specified CA cert %s", t.caFile) |
| } |
| rt, err = t.newRT(tlsConfig) |
| if err != nil { |
| return nil, err |
| } |
| t.CloseIdleConnections() |
| |
| t.mtx.Lock() |
| t.rt = rt |
| t.hashCAFile = h[:] |
| t.mtx.Unlock() |
| |
| return rt.RoundTrip(req) |
| } |
| |
| func (t *tlsRoundTripper) CloseIdleConnections() { |
| t.mtx.RLock() |
| defer t.mtx.RUnlock() |
| if ci, ok := t.rt.(closeIdler); ok { |
| ci.CloseIdleConnections() |
| } |
| } |
| |
| func (c HTTPClientConfig) String() string { |
| b, err := yaml.Marshal(c) |
| if err != nil { |
| return fmt.Sprintf("<error creating http client config string: %s>", err) |
| } |
| return string(b) |
| } |